Inside the mind of a hacker

Writing about security is kind of like writing about insurance. As a responsible adult, you know it’s something you should do every now then, but deep down, you’re really worried that many readers won’t make it past the second sentence. (I hope you’re still here.)

Having recently had the privilege of moderating a panel entitled “Inside the Mind of a Hacker” at the CyberSecurity Forum event that occurred as part of CES, however, I’ve decided it’s time. The panel was loaded with four smart and opinionated security professionals who hotly debated a variety of topics related to security and hacking.

Speaking to the theme of the panel, it became immediately clear that the motivations for the “bad guy” hackers (there was, of course, a brief, but strong show of support for the white hat “good” hackers) are exactly what you’d expect them to be: money, politics, pride, power and revenge.

Beyond some of the basics, however, I was surprised to hear the amount of dissent on the topics discussed, even by those with some impressive credentials (including work at the NSA, managing cyber intelligence for Fortune 500 companies and government agencies, etc.). One particularly interesting point, for example, highlighted that hackers are people too—meaning, they make mistakes. In fact, thankfully, apparently quite a lot of them. While in retrospect that seems rather obvious, given the aura of invincibility commonly attributed to hackers through popular media, it wasn’t something I expected to hear.

There are few if any things that can be completely blocked from hacking efforts, but huge progress could be made in cyber security if companies and people would just start actually using some of the tools already available.”

Another key point was the methodology used by most hackers. Most agreed that the top threat is from phishing attacks, where employees at a company or individuals at home are lured into opening an attachment or clicking on a link that triggers a series of, well, unfortunate events. Even with up-to-date anti-malware software and security-enhanced browsers, virtually everyone (and every company) is vulnerable to these increasingly sophisticated and tricky attacks. However, several panelists pointed out that too much attention is spent trying to remedy the bad situations created by phishing attacks, instead of educating people about how to avoid them in the first place.

Looking forward, the rapid growth of ransomware, when companies or individuals are locked out of their systems and/or data until a ransom is paid to unlock it, was one of the panelists’ biggest concerns. Attacks of this sort are growing quickly and most believe the problem will get much worse in 2017. In many cases, organized crime is behind these types of incidents, and with the popularity of demanding payment in bitcoin or other payment methods that are nearly impossible to trace, the issue is very challenging.

Another concern the panel tackled was security issues for Internet of Things (IoT) devices. Many companies getting involved with IoT have little to no security experience or knowledge and that’s led to some gaping security holes that automated hacking tools are quick to find and exploit. Thankfully, the group agreed there is some progress happening here with newer IoT devices, but given the wide range of products already in market, this problem will be with us for some time. One potential solution that was discussed was the idea of an IoT security standard (along the lines of a UL approval), which is a topic I wrote about several months back. (See “It’s Time for an IoT Security Standard”)

Another potential benefit could come from improved implementations of biometric authentication, such as fingerprint and iris scans, as well as leveraging what are commonly called “hardware roots of trust.” Essentially, this provides a kind of digital ID that can be used to verify the authenticity of a device, just as biometrics can help verify the authenticity of an individual. Both of these concepts enable more active use of multi-factor authentication, which can greatly strengthen security efforts when combined with encryption, stronger security software perimeters, and other common sense guidelines.

As the panel was quick to point out, there are few if any things that can be completely blocked from hacking efforts. Nevertheless, huge progress could be made in cyber security if companies and people would just start actually using some of the tools already available. Instead of worrying about solving the toughest corner cases, good security needs to start with the basics and build from there.